Fellow PowerShell users
I was asked to put together a script to set an ACL (access control list) on a Home drive. I created a .csv file as a source with the user to change, which it retrieves from the username.csv file.
What I need to do is to set it to “read only with delete rights”. Below is what I’ve put together so far…
#Script to set User's H drive to Read & delete only.
Import-Module 'ActiveDirectory'
import-csv H:\username.csv | foreach-object{
    $homeDrive = (Get-ADUser -Identity $_.name -Properties homedirectory).homedirectory #Query AD for the HomeDrive attribute
    $ACL = Get-Acl $homeDrive
    $ACL.setAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($_.name, "Read", "ContainerInherit,ObjectInherit", "none", "allow")))
    $ACL.setAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($_.name, "Delete", "ContainerInherit,ObjectInherit", "none", "allow")))
    Write-Output $homeDrive
    Write-Output $ACL
    pause
    Set-Acl $homeDrive $ACL
}
Seems like it will do one or the other but not both. Any help would be appreciated.
RS
You can use Read and Delete as an array: @(‘Read’,‘Delete’)
New-Object System.Security.AccessControl.FileSystemAccessRule($_.name, @('Read','Delete'), "ContainerInherit,ObjectInherit", "none", "allow")
Thank you. I will test this.
Also, how do I output all results to a txt file? Is this even possible? Still learning PS. 
If you’re seeing the results you want at the console during the execution, you can just pipe the output to Out-File.
#Script to set User's H drive to Read & delete only.
Import-Module 'ActiveDirectory'
import-csv H:\username.csv | foreach-object{
    $homeDrive = (Get-ADUser -Identity $_.name -Properties homedirectory).homedirectory #Query AD for the HomeDrive attribute
    $ACL = Get-Acl $homeDrive
    $ACL.setAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($_.name, "Read", "ContainerInherit,ObjectInherit", "none", "allow")))
    $ACL.setAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($_.name, "Delete", "ContainerInherit,ObjectInherit", "none", "allow")))
    Write-Output $homeDrive
    Write-Output $ACL
    pause
    Set-Acl $homeDrive $ACL
} | Out-File -Path C:\outputFolder\Output.txt
kvprasoon
Thanks for your tip. Can I ask why the following line is with a @( ?
@(‘Read’,‘Delete’)
Makes it an array of strings.
With the output command you mentioned, I get the following error.
Out-File : A parameter cannot be found that matches parameter name ‘Path’.
At H:\Onedrive project\Hdrive_ReadDeleteonly.ps1:11 char:14
+ } | Out-File -Path H:\results.txt
+
+ CategoryInfo : InvalidArgument: ( [Out-File], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.OutFileCommand
Should I be using a different path command?
I thank everyone who contributed their suggestions but now I need one more thing to set in the script.
Apparently the script worked perfectly, but now I need to ensure that “traverse folder” access is granted so that their H drive doesn’t disappear and show access denied. 
What is the line to give traversal folder access with read only and delete only?
Any help is greatly appreciated.
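Added example, not code from any poster in this thread: on a throwaway folder under $env:TEMP it compares two SetAccessRule calls with a single rule that combines the rights, then writes the result with Out-File's -FilePath parameter. The folder name and the helpers New-Rule and Get-ExplicitRights are made up for the illustration, and including Traverse assumes that is the right meant by “traverse folder” in the last post.

```powershell
# Added example: Windows only, uses a throwaway folder, no Active Directory needed.
$folder = Join-Path $env:TEMP 'acl-demo'    # constructed test path (assumption)
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Hypothetical helper: build one allow rule for $user with the given rights.
function New-Rule([System.Security.AccessControl.FileSystemRights]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($user, $Rights, $inherit, $prop, $allow)
}

# Hypothetical helper: list the explicit (non-inherited) allow rights held by $user,
# so permissions inherited from the TEMP folder do not blur the comparison.
function Get-ExplicitRights($Acl) {
    $rules = $Acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $user -and $_.AccessControlType -eq $allow }
    ($rules | ForEach-Object { $_.FileSystemRights }) -join ' + '
}

$acl = Get-Acl -Path $folder

# Case 1: two SetAccessRule calls. SetAccessRule first removes the existing allow
# rules for the same identity, so the second call discards the first rule.
$acl.SetAccessRule((New-Rule 'Read'))
$acl.SetAccessRule((New-Rule 'Delete'))
$report = @("Two SetAccessRule calls: $(Get-ExplicitRights $acl)")

# Case 2: a single rule that carries every right in one FileSystemRights value.
$acl.SetAccessRule((New-Rule 'Read, Delete, Traverse'))
$report += "One combined rule:       $(Get-ExplicitRights $acl)"

# Apply the ACL, then read it back from disk to confirm what was stored.
Set-Acl -Path $folder -AclObject $acl
$report += "Stored on the folder:    $(Get-ExplicitRights (Get-Acl -Path $folder))"

# Out-File takes -FilePath for the destination file.
$reportFile = Join-Path $folder 'acl-report.txt'
$report | Out-File -FilePath $reportFile
Get-Content -Path $reportFile
```

.NET adds Synchronize to allow rules, and Read combined with Traverse is the same set of bits as ReadAndExecute, so the report may show the rights under those names.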